Associated vulnerabilities
Description
(0day) Local Privilege Escalation in IObit Malware Fighter
Introduction
# Description
* The PoC program exploits the IMFForceDelete driver, which exposes an IOCTL that lets unprivileged users delete files and folders. This can be turned into a privilege escalation using a technique described by ZDI and Halov that abuses the MSI rollback mechanism (designed to maintain system integrity in case of issues): by deleting the folder and recreating it with a weak DACL, then planting fake RBF and RBS files, we gain the ability to make arbitrary changes to the system as NT AUTHORITY\SYSTEM.
# VID
https://github.com/user-attachments/assets/58e343d2-97a4-4ca3-9deb-df911b717a57
# CREDITS
* [Halov](https://x.com/KLINIX5)
* [ZDI](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks-archive)
* [vx-underground and #ifndef hjonk](https://x.com/vxunderground/status/1876670819411407188)
File snapshot
[4.0K] /data/pocs/9812dfc02b6b73580aa97852583a4d352d2feb1f
├── [4.0K] PoC
│ ├── [558K] 5eeabb3.rbs
│ ├── [2.1K] FolderOrFileDeleteToSystem.rc
│ ├── [1.3K] Header.h
│ ├── [184K] Msi_EoP.msi
│ ├── [ 20K] NtDefine.h
│ ├── [ 12K] PoC.cpp
│ ├── [1.5K] PoC.filters
│ ├── [8.5K] PoC.vcxproj
│ ├── [ 541] resource.h
│ └── [ 12K] SystemCmdLauncher.dll
├── [1.4K] PoC.sln
└── [ 888] README.md
1 directory, 12 files
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source has become unavailable or cannot be accessed, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.